(57) Protection of real-time data such as voice data exchanged as packets between a mobile electronic device (10) and a VPN gateway (122) during a media session over a communications link (130) that includes a wireless network (132). A first VPN connection (136) is established between the mobile electronic device (10) and the VPN gateway (122) through the communications link (130), the first VPN connection (136) using key-based encryption to protect data exchanged therethrough. While the first VPN connection (136) is established, a second VPN connection (138) is established between the mobile electronic device (10) and the VPN gateway (122) through the communications link (130), the second VPN connection (138) using key-based encryption to protect data exchanged therethrough. Real-time data packets are exchanged between the mobile electronic device (10) and the VPN gateway (122) through the second VPN connection (138).
Description

[0001] The present application relates to virtual private networks for protecting real-time media data such as voice data, including data transmitted from and to mobile electronic devices.

[0002] There is a growing interest in packet-based voice telephony, such as voice over Internet protocol (VoIP) telephony, as an alternative to traditional public switched telephone networks (PSTNs). Enterprises such as corporations and other organizations are adopting VoIP as an alternative to traditional telephone systems. In some environments, VoIP is applied to mobile phones. As a security measure, enterprises typically use a virtual private network (VPN) for communications between devices within the enterprise network and external devices, such that all data exchanged with an external device is encrypted. However, the algorithms traditionally applied to non-time-sensitive data communications may cause degradation or excessive delays when applied to time-sensitive media data such as voice data, especially when such algorithms are applied by a resource-limited mobile phone device. Additionally, the use of resource-intensive encryption/decryption algorithms for real-time media data on a mobile device can in some cases effectively cause other applications on the device to slow down.
[0003] Accordingly, a system and method for securing wireless media data such as voice data in a resource-limited environment is desired.

[0004] Embodiments are described in the present application for a method and system for establishing two secure VPN connections or tunnels through a communications link between a mobile device and a network. One of the VPN tunnels is used for the exchange of media data such as voice data, and the other of the VPN tunnels is used to exchange key data that is used for encrypting and decrypting the media data.

[0005] In one aspect, the present application provides a method for protecting real-time data exchanged as packets between a mobile electronic device (10) and a VPN gateway (122) during a media session over a communications link (130) that includes a wireless network (132). The method includes: establishing a first VPN connection (136) between the mobile electronic device (10) and the VPN gateway (122) through the communications link (130), the first VPN connection (136) using key-based encryption to protect data exchanged therethrough; establishing, while the first VPN connection (136) is established, a second VPN connection (138) between the mobile electronic device (10) and the VPN gateway (122) through the communications link (130), the second VPN connection (138) using key-based encryption to protect data exchanged therethrough; and exchanging real-time data packets between the mobile electronic device (10) and the VPN gateway (122) through the second VPN connection (138).
[0006] In another aspect, the present application provides a mobile electronic device for engaging in a media session in which real-time data packets are exchanged with a remote location. The mobile device includes a wireless communications subsystem (124, 126) for exchanging data packets with the remote location (120) through a communications link (130) that includes a wireless network (132), and a processor for controlling the communications subsystem. The device also includes a VPN module (112) associated with the processor for establishing co-existing first and second VPN connections (136, 138) through the communications link (130) between the mobile electronic device (10) and the remote location and exchanging there-between real-time data through the second VPN connection (138).

[0007] In yet another aspect, the present application provides a VPN gateway (122) for exchanging real-time data packets with a remote device (10) over a communications link (130), the gateway (122) having means for establishing co-existing first and second VPN connections (136, 138) through the communications link (130) between the VPN gateway (122) and the remote device (10) location and exchanging there-between real-time data through the second VPN connection (138).

BRIEF DESCRIPTION OF THE DRAWINGS 

[0008] Embodiments will now be described, by way of example only, with reference to the attached Figures, wherein:

[0009] Figure 1 is a block diagram of a communications system incorporating example embodiments;

[0010] Figure 2 is a block diagram of a process for establishing secure communications for media data such as voice data in the communications system of Figure 1; and

[0011] Figure 3 is a block diagram showing an example of a mobile electronic device that can be used in the communications systems of Figure 1.

[0012] Like reference numerals are used throughout the Figures to denote similar elements and features.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT

[0013] Referring first to Figure 1, there is a block diagram of a communication system 100 according to at least one example embodiment of the present invention. The communication system 100 includes a mobile electronic device 10 and an enterprise network 120 which exchange data through a communications link 130. The mobile electronic device 10 and enterprise network 120 are configured to exchange packets of real-time data such as voice data over the communications link 130 during Voice-over-IP (VoIP) calls in which media sessions are established between the mobile device 10 and a terminal device 126. During VoIP media sessions, data packets are exchanged over an IP-based network using real-time transport protocol (RTP) (or other real-time transport protocols) on top of the user datagram protocol (UDP) (or other suitable protocol). Session initiation protocol (SIP) or other suitable control protocols are employed to set up, manage, control and/or tear down media paths between termination points.

[0014] In Figure 1, the terminal device 126 is shown as part of the enterprise network 120; however, the terminal device 126 may be external to the network 120 and may be a further mobile device 10 connected to the network by a communications link that is the same as or similar to communications link 130.

[0015] Communications link 130 provides a path for VoIP data between mobile device 10 and the enterprise network 120 and includes one or more wireless networks 132. In some example embodiments, the communications link also includes one or more wired network 134 portions; however, in some embodiments the wireless network 132 is connected directly to the enterprise network 120. In example embodiments, wireless network 132 includes a wireless local area network (WLAN) which conforms to IEEE 802.11 standards, for example 802.11b and/or 802.11g, or Bluetooth™; however, other communications protocols could also be used for the WLAN. In some example embodiments, instead of or in addition to a WLAN, wireless network 132 includes a wireless wide area network (WAN) that is a packet-based cellular network. The wireless WAN can be or include any of a number of types of network including, by way of non-limiting example, Mobitex Radio Network, DataTAC, GSM (Global System for Mobile Communication), GPRS (General Packet Radio System), TDMA (Time Division Multiple Access), CDMA (Code Division Multiple Access), CDPD (Cellular Digital Packet Data), iDEN (integrated Digital Enhanced Network) or various other third generation networks such as EDGE (Enhanced Data rates for GSM Evolution) or UMTS (Universal Mobile Telecommunications Systems) or EvDO (Evolution Data Only).

[0016] The wired network 134 includes, in various example embodiments, the Internet, a further enterprise intranet or network, a direct connection, a public switched telephone network (PSTN), and/or other wide area or local area networks across which data packets can travel.
[0017] In order to provide for secure communications, the enterprise network 120 includes a virtual private network (VPN) gateway 122 for establishing secure VPN connections or tunnels with external devices such as mobile electronic device 10. The VPN gateway 122 can be implemented on a computer such as a server running suitable VPN software. The enterprise network 120 also includes a session initiation protocol (SIP) gateway 124 for setting up, managing, controlling and/or tearing down media paths between the mobile electronic device 10 and terminal device 126. The SIP gateway 124 can be implemented on a computer such as a server running suitable SIP software. In some embodiments, SIP gateway 124 is replaced with a gateway using a different control protocol.

[0018] Although only a single mobile electronic device 10 is shown in Figure 1, communications system 100 will typically include several of such devices. As suggested above, terminal device 126 can be a mobile electronic device 10. In one example embodiment, mobile electronic devices 10 are handheld two-way mobile communication devices 10 having VoIP voice communication and data communication capabilities. In an example embodiment, the devices 10 have the capability to communicate with other computer systems on the Internet. In various embodiments, mobile electronic devices 10 may include, by way of non-limiting example, multiple-mode communication devices configured for both data and voice communication, mobile telephones, and PDAs enabled for wireless phone communications.

[0019] The mobile electronic device 10 includes a VPN module 112 for establishing secure encrypted communications through the communications link 130 with the VPN gateway 122 of enterprise network 120. As will be explained in greater detail below, in example embodiments of the invention, the VPN module 112 and VPN gateway 122 are configured to establish a first or primary secure VPN connection or tunnel 136 and a secondary secure VPN connection or tunnel 138 between the mobile electronic device 10 and the enterprise network 120 through communications link 130. The primary secure VPN connection 136 is used to exchange non-real-time data over communications link 130 and may be set up for long time periods as determined by the VPN gateway 122. The secondary secure VPN connection 138 is used to exchange real-time media data such as voice data over communications link 130, and will generally be set up for a much shorter duration than the primary secure VPN connection 136, for example, for the length of a VoIP call or media session. A less resource-intensive encryption algorithm and/or encryption technique is used for the secondary VPN connection 138 than for the primary VPN connection 136, thereby allowing time-sensitive data to be processed faster than if sent through the primary VPN connection 136. The primary VPN connection 136 is used to exchange shared secrets, for example seeds, used to establish the keys for encrypting and decrypting data that is sent through the secondary VPN connection 138.

[0020] An overview having been provided, a more detailed explanation will now be provided with reference to Figure 1 and the block diagram of Figure 2, which illustrates a process 200 for protecting real-time data packets according to example embodiments of the invention. As indicated in step 202, a first or primary secure VPN connection 136 is established through the communications link 130 between the VPN gateway 122 of network 120 and the mobile device 10. In an example embodiment, the primary secure VPN connection 136 uses a shared secret or keys previously stored on mobile device 10 and VPN gateway 122 for encrypting data sent over the communications link 130. While the communications link 130 is maintained, the primary VPN connection 136 will last for a duration set by the VPN gateway 122 or negotiated between the gateway 122 and the mobile device 10. The primary VPN connection 136 is in example embodiments a conventional VPN connection, and could for example employ triple DES (data encryption standard) or AES (advanced encryption standard). Data that is not particularly time sensitive is exchanged between the VPN gateway 122 and the mobile device 10 over the primary VPN connection 136 through the communications link 130. For example, e-mail messages, text messages, and file downloads and uploads can be exchanged over the primary VPN connection 136.

[0021] As indicated above, the mobile device 10 is enabled for packet-based voice communications, and in this regard includes a phone module 114 for establishing VoIP media sessions with a terminal device 126 via the communications link 130. SIP gateway 124 manages the setup and teardown of such media sessions. As indicated in step 204, when a media session between the mobile device and the terminal device 126 is set up, a secondary VPN connection 138 is established through the communications link 130 between VPN gateway 122 and mobile device 10 for media data such as voice data that is exchanged during the media session. In example embodiments, the VPN module 112 on device 10 and the VPN gateway 122 each include respective VoIP VPN sub-modules 116, 128 for negotiating and maintaining the secondary VPN connection 138 during the VoIP media session. Sub-modules 116, 128 are, in at least some example embodiments, implemented by software instructions executed by microprocessors. In example embodiments, the encryption method used in the secondary VPN connection 138 for protecting the media data is simpler and less resource intensive than that used in the primary VPN connection 136. This reduces the possibility that time-sensitive voice data will be degraded through the encryption and decryption process at the resource-limited mobile device 10. For example, in at least some embodiments, the encryption keys used for the secondary VPN connection 138 are smaller than those used for the primary VPN connection 136, such that the secondary VPN connection 138 uses a lower-bit encryption than the primary VPN connection 136. Additionally, or alternatively, simpler encryption techniques may be used for the secondary VPN connection 138 than those used for the primary VPN connection 136. By way of non-limiting example, if triple DES encryption (i.e. encrypt with one key, decrypt with a second key, then encrypt with a third key, then transmit) is used for the primary VPN connection, then single DES-type encryption may be used in the secondary VPN connection 138.
[0022] In example embodiments, to compensate for the use of simpler encryption keys and/or techniques in the secondary VPN connection 138, the keys used for the secondary VPN connection 138 are changed more frequently than those used for the primary VPN connection 136. The primary VPN connection 136 is used as a secure channel to exchange key information used by the device 10 and VPN gateway 122 to establish and update the encryption and decryption keys used for the secondary VPN connection 138. In one configuration, upon setup of the media session, the primary VPN connection 136 is used to exchange a shared secret such as a seed. The seed is then used at the VoIP VPN modules 116, 128 to establish the key or keys used for data encryption/decryption for the secondary VPN connection 138. In some embodiments the seed is the encryption key.
[0023] As indicated in step 206, the keys used for the secondary VPN connection 138 are changed or updated throughout the media session. In order to update the keys, during the media session, updated seeds are periodically generated by the VoIP VPN module 128 of the VPN gateway 122 and transmitted through the primary VPN connection 136 to the mobile device 10. Each updated seed is used at the VoIP VPN modules 116, 128 to establish a new key or keys for data encryption/decryption for the secondary VPN connection 138 until a new updated seed is generated and transmitted. In one configuration, the VoIP VPN module 128 is configured to generate an updated seed at regular periodic intervals throughout the media session. In some embodiments, the duration of the periodic intervals and/or the size of the seed are configurable values that can be set according to an enterprise's IT policy. In some embodiments, the party making a call is presented with the option, when making the call, of selecting a security level for the call. A higher security level for secondary VPN connection 138 would use shorter intervals between updated seeds and/or longer seeds than a lower security level.
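Steps 202 to 208 of process 200 ([0020] to [0023] and [0027]), run end to end on one host as an added simulation; this is not code from the application. The primary tunnel is modelled as an authenticated channel under a previously stored shared key, the gateway generates a seed at call setup and again every rekey interval and sends it through that tunnel, both ends derive the secondary-tunnel key from the seed, and each media packet carries an epoch number so the receiver can pick the right key across a rekey. Everything beyond the page's description is an assumption made for the example: the HMAC-SHA256 keystream stands in for the page's DES/AES ciphers (the Python standard library has neither), as do the epoch || seq packet header, the 12-byte nonce on seed messages, the derivation function, and all class and function names.

```python
import hashlib
import hmac
import os
import struct

def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as the PRF for subkeys, keystream and key derivation (an assumption, not the page's KDF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; a stand-in for the page's DES/AES ciphers, which the standard library lacks."""
    return b"".join(_prf(key, nonce + struct.pack(">I", i)) for i in range((length + 31) // 32))[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with domain-separated subkeys; returns ciphertext || 16-byte tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return ct + _prf(_prf(key, b"mac"), nonce + ct)[:16]

def unseal(key: bytes, nonce: bytes, sealed: bytes):
    """Inverse of seal(); None when the tag does not verify (tampering, truncation or wrong key)."""
    ct, tag = sealed[:-16], sealed[-16:]
    if len(sealed) < 16 or not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)[:16]):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))

def derive_media_key(seed: bytes, epoch: int) -> bytes:
    """Both ends turn a seed carried over the primary tunnel into the secondary-tunnel key for that epoch."""
    return _prf(seed, b"secondary-vpn" + struct.pack(">H", epoch))

class Endpoint:
    """One end of both tunnels: the mobile device, or the gateway's packet-handling side."""
    def __init__(self, primary_key: bytes):
        self.primary_key = primary_key   # previously stored shared secret for the primary tunnel (step 202)
        self.media_keys, self.epoch, self.seq = {}, None, 0   # epoch -> secondary-tunnel key

    def install_seed(self, epoch: int, seed: bytes) -> None:
        self.media_keys[epoch] = derive_media_key(seed, epoch)
        self.epoch, self.seq = epoch, 0

    def receive_seed(self, message: bytes) -> bool:
        """Seed update arriving over the primary tunnel: 12-byte nonce || sealed(epoch || seed)."""
        body = unseal(self.primary_key, message[:12], message[12:])
        if body is None or len(body) < 3:
            return False
        self.install_seed(struct.unpack(">H", body[:2])[0], body[2:])
        return True

    def send_media(self, payload: bytes) -> bytes:
        """Secondary-tunnel packet: epoch (2 bytes) || seq (4 bytes) || sealed payload; the header is the nonce."""
        header = struct.pack(">HI", self.epoch, self.seq)
        self.seq += 1
        return header + seal(self.media_keys[self.epoch], header, payload)

    def receive_media(self, packet: bytes):
        """Selects the key by the packet's epoch; None for an unknown epoch, truncation or a bad tag."""
        key = self.media_keys.get(struct.unpack(">H", packet[:2])[0]) if len(packet) >= 6 else None
        return None if key is None else unseal(key, packet[:6], packet[6:])

    def end_session(self) -> None:
        """Step 208: the secondary tunnel ends with the media session and its keys are discarded."""
        self.media_keys, self.epoch, self.seq = {}, None, 0

class Gateway(Endpoint):
    """The VPN gateway additionally generates the seeds and decides when the secondary keys are updated."""
    def __init__(self, primary_key: bytes, seed_bytes: int, rekey_interval_s: float):
        super().__init__(primary_key)
        self.seed_bytes, self.rekey_interval_s, self.last_rekey = seed_bytes, rekey_interval_s, None

    def rekey_due(self, now: float) -> bool:
        return self.last_rekey is None or now - self.last_rekey >= self.rekey_interval_s

    def rekey(self, now: float) -> bytes:
        """Step 206: fresh seed, derived key installed locally, seed sealed for transport over the primary tunnel."""
        epoch = 0 if self.epoch is None else self.epoch + 1
        seed, nonce = os.urandom(self.seed_bytes), os.urandom(12)
        self.install_seed(epoch, seed)
        self.last_rekey = now
        return nonce + seal(self.primary_key, nonce, struct.pack(">H", epoch) + seed)

def simulate_call(duration_s=600, rekey_interval_s=120, seed_bytes=16, packet_period_s=1.0) -> dict:
    """Runs one media session on a fake clock; reports the key epochs used and the packet outcomes."""
    psk = os.urandom(32)                      # stands in for the pre-stored primary-tunnel key
    gw, dev = Gateway(psk, seed_bytes, rekey_interval_s), Endpoint(psk)
    epochs, sent, delivered, t = set(), 0, 0, 0.0
    while t < duration_s:
        if gw.rekey_due(t):                   # seed at call setup (step 204), then periodic updates (step 206)
            dev.receive_seed(gw.rekey(t))
        payload = b"rtp-sample-%d" % int(t)   # constructed stand-in for an RTP payload
        packet = dev.send_media(payload)
        epochs.add(packet[:2])
        sent += 1
        delivered += gw.receive_media(packet) == payload
        t += packet_period_s
    gw.end_session()                          # step 208: call over, secondary keys gone, primary tunnel stays up
    dev.end_session()
    return {"epochs": len(epochs), "sent": sent, "delivered": delivered}
```

A 600-second call with a 120-second interval uses five epochs and every packet decrypts. Keys of earlier epochs stay installed so packets still in flight at a rekey are not lost; a deployment would expire them after a short grace period. A seed message is rejected outright if the primary-tunnel key is wrong, which is the property the whole design rests on: the lighter secondary cipher is only as good as the channel that carries its seeds. Single DES, which the page offers as the lighter cipher, is not considered adequate today; the structure carries over unchanged to a modern AEAD in both tunnels, with the per-call key and frequent rekey kept as the lightweight part.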

[0024] In at least some example embodiments, the security level is automatically adapted by VoIP VPN module 128 based on characteristics of the media session. In one such configuration, the security level is determined based on the identification of either one or both of the mobile device 10 and the terminal device 126, with shorter seed change intervals and/or longer seeds and/or different algorithms being used for higher security levels than lower security levels. In one example, a security database 129 maintained at the enterprise network 120 for use by the VoIP VPN module 128 and/or SIP gateway 124 is used for categorizing media sessions into different security level classifications. In this regard, in one configuration the security database 129 categorizes calls based on device addresses (which can include phone numbers in at least one embodiment) such that at least some known device addresses are associated in the security database with predetermined security levels. When a media session is established, the VoIP VPN module 128 references the security database to determine if either the initiating or destination device has an address (for example a telephone number) associated with a security level in the security database and, if so, uses the appropriate security level during the media session. Uncategorised device addresses are assigned a default security level.

[0025] In some example embodiments, a contacts database 118 is maintained at the mobile device 10, and in addition to or in place of the categorized addresses in the security database 129 at the enterprise network 120, at least some of the addresses in the contacts database 118 are categorized with security levels. When a telephone call is made to one of the categorized addresses, the associated security level is referenced by the device VoIP VPN module 116 and applied to the secondary VPN connection 138 that is set up for the media session used for the call. In one configuration of such an embodiment, the user of device 10 can configure the security level used for calls to phone numbers in the contacts database 118.
[0026] In some example embodiments, adaptive call profiles are maintained in the enterprise security database 129 and/or the contacts database 118 of individual mobile devices 10 for selected device addresses. For example, average and/or median call durations between device addresses that repeatedly call each other are tracked, such that when a media session is established a security level for the secondary VPN connection 138 is selected based on the anticipated call duration. When the call profiles for a pair of device addresses indicate that calls or media sessions between the devices typically last a long time, a higher security level (resulting in a longer seed and/or more seed updates) is applied than if the call profile indicates a shorter typical call duration. Thus, calls between parties that typically call each other for long periods, for example 15 minutes, will have a higher security level applied in the secondary VPN connection 138 than calls between parties that typically last shorter periods, for example 5 minutes.
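The security-level selection of [0023] to [0026] (the caller's choice at dial time, the security database 129, the contacts database 118 and the adaptive call profiles) as an added example, not code from the application: a policy function that maps one media session to the seed size and rekey interval the secondary tunnel will use. The policy table values, the sample addresses and durations, the `requested` parameter and the rule that the strongest applicable level wins are all constructed for this example; the page gives only the 15-minute and 5-minute figures, used here as the thresholds, and leaves the rest to IT policy.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class SecurityParams:
    level: str
    seed_bytes: int          # longer seed -> stronger secondary-tunnel key
    rekey_interval_s: int    # shorter interval -> more frequent seed updates over the primary tunnel

# Constructed policy table: the page leaves the actual seed sizes and intervals to the enterprise's IT policy.
POLICY = {
    "low": SecurityParams("low", 8, 300),
    "default": SecurityParams("default", 16, 120),
    "high": SecurityParams("high", 32, 30),
}
RANK = {"low": 0, "default": 1, "high": 2}

# Constructed sample data. The security database (129) maps device addresses to levels; the
# call-profile table maps an unordered address pair to the durations (seconds) of earlier sessions.
SECURITY_DB = {"+15550100": "high", "+15550199": "low"}
CALL_HISTORY = {
    frozenset(("+15550123", "+15550456")): [1200, 950, 1800],
    frozenset(("+15550321", "+15550654")): [240, 300, 120],
}

def level_from_history(durations_s, long_call_s=900, short_call_s=300):
    """Adaptive call profile: median duration at or above long_call_s gives "high", at or below
    short_call_s gives "low". The thresholds are the page's 15-minute and 5-minute example figures;
    a pair with no history yields None so that it does not influence the choice."""
    if not durations_s:
        return None
    m = median(durations_s)
    return "high" if m >= long_call_s else "low" if m <= short_call_s else "default"

def select_security(initiator, destination, security_db=SECURITY_DB, call_history=CALL_HISTORY, requested=None):
    """Gateway-side choice for one media session. Sources: the classification of either address,
    the call profile for the pair, and a level the caller picked at dial time. The strongest
    applicable level wins (a design choice here; the page does not say how the sources combine)
    and a session with no applicable source gets the default level."""
    candidates = [
        security_db.get(initiator),
        security_db.get(destination),
        level_from_history(call_history.get(frozenset((initiator, destination)), [])),
        requested,
    ]
    applicable = [lvl for lvl in candidates if lvl in RANK]
    return POLICY[max(applicable, key=RANK.__getitem__)] if applicable else POLICY["default"]
```

The returned parameters are exactly what the rekey logic needs, so a gateway would evaluate this once at call setup, before the first seed goes out. Treating a missing history as None rather than as a short call matters: otherwise every pair that has never spoken before would be classified low, which is the opposite of what a default level is for.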

[0027] As indicated in step 208, the secondary VPN connection 138 is terminated when the media session that the connection was set up for is terminated. Thus, in example embodiments the secondary VPN connection 138 is set up with the media session it is intended to protect and then terminated at the end of such media session.

[0028] Although in respect of the embodiments described the key information for secondary VPN connection 138 is generated at the VPN gateway 122 and sent to mobile electronic device 10, in some embodiments the key information can be generated at mobile electronic device 10 and then sent over the primary VPN connection 136 to the VPN gateway 122.

[0029] An example of a mobile electronic device 10 with which at least some embodiments of the invention may be used is shown in Figure 3. The device 10 includes a wireless WAN communication subsystem 124 for two-way communications with a wireless WAN and a WLAN communication subsystem 126 for two-way communications with a WLAN. Communications subsystems 124 and 126 include RF transceivers and may also include signal processors such as DSPs, for example. The device 10 includes a microprocessor 38 that controls the overall operation of the device. The microprocessor 38 interacts with communications subsystems 124 and 126 and also interacts with further device subsystems such as the display 22, flash memory 24, random access memory (RAM) 26, auxiliary input/output (I/O) subsystems 28 (which may include a thumb-wheel, for example), serial port 30 (which may include a USB port, for example), keyboard or keypad 32, speaker 34, microphone 36, and any other device subsystems generally designated as 42.
[0030] Operating system software 54 and various software applications 58 used by the microprocessor 38 are, in one example embodiment, stored in a persistent store such as flash memory 24 or a similar storage element. Software applications 58 may include a wide range of applications, including an address book application (which references contacts database 118), a messaging application, a calendar application, and/or a notepad application. Included among applications 58 is the software for implementing telephone module 114 for enabling the mobile device 10 to function as a mobile phone. Also included among applications 58 is the software for implementing the VPN module 112. Each software application 58 may include layout information defining the placement of particular fields in the user interface for the software application 58, such as text fields, input fields, etc. Those skilled in the art will appreciate that the operating system 54, specific device applications 58, or parts thereof, may be temporarily loaded into a volatile store such as RAM 26. Received communication signals may also be stored to RAM 26.

[0031] The microprocessor 38, in addition to its operating system functions, enables execution of software applications 58 on the device. A predetermined set of applications 58 which control basic device operations, including at least data and voice communication applications for example, will normally be installed on the device 10 during manufacture. Further applications may also be loaded onto the device 10 through the network 110, an auxiliary I/O subsystem 28, serial port 30, communications subsystem 124, 126 or any other suitable subsystem 42, and installed by a user in the RAM 26 or a non-volatile store for execution by the microprocessor 38.
[0032] The above-described embodiments of the present application are intended to be examples only. Alterations, modifications and variations may be effected to the particular embodiments by those skilled in the art without departing from the scope of the application, which is defined by the claims appended hereto.

Claims 

1. A method for protecting real-time data exchanged as packets between a mobile electronic device (10) and a VPN gateway (122) during a media session over a communications link (130) that comprises a wireless network (132), comprising:

    establishing a first VPN connection (136) between the mobile electronic device (10) and the VPN gateway (122) through the communications link (130), the first VPN connection (136) using key-based encryption to protect data exchanged therethrough;

    establishing, while the first VPN connection (136) is established, a second VPN connection (138) between the mobile electronic device (10) and the VPN gateway (122) through the communications link (130), the second VPN connection (138) using key-based encryption to protect data exchanged therethrough;

    exchanging real-time data packets between the mobile electronic device (10) and the VPN gateway (122) through the second VPN connection (138).

2. The method of claim 1 wherein the second VPN connection (138) uses a different strength encryption algorithm than the first VPN connection (136).

3. The method of claim 1 or claim 2 wherein a lower-bit encryption is used for the second VPN connection (138) than the first VPN connection.

4. The method of any one of claims 1 to 3 comprising providing key information for the second VPN connection (138) to at least one of the mobile electronic device (10) and VPN gateway (122) through the first VPN connection (136).

5. The method of claim 4 wherein updated key information for the second VPN connection (138) is provided through the first VPN connection (136) at intervals while the second VPN connection (138) is established.

6. The method of claim 5 wherein the updated key information is exchanged at regular intervals while the second VPN connection (138) is established.

7. The method of claim 5 wherein at least one of:

    the intervals at which the updated key information is provided; and

    a strength of the encryption used for the second VPN connection (138),

is based on an identification of at least one of the mobile electronic device (10) and a terminal device (126) with which the mobile electronic device (10) is exchanging the real-time data.

8. The method of claim 5 wherein a terminal device (126) exchanges the real-time data with the mobile electronic device during a media session through the VPN gateway (122) and the second VPN connection (138), the method comprising tracking information for media sessions between the mobile electronic device (10) and the terminal device (126), wherein at least one of:

    the intervals at which the updated key information is provided; and

    a strength of the encryption used for the second VPN connection (138),

is based on the tracked information.

9. The method of claim 8 wherein the tracked information comprises information about durations of previous media sessions between the mobile electronic device (10) and the terminal device (126).

10. The method of any one of claims 1 to 9 wherein the real-time data is VoIP voice data, the method comprising setting up a VoIP media session between the mobile electronic device (10) and a terminal device (126) through the communications link (130) and VPN gateway (122), wherein the VoIP voice data is exchanged between the VPN gateway (122) and the mobile device (10) using the second VPN connection (138), and wherein the second VPN connection (138) is established for the VoIP media session and then terminated upon completion of the VoIP media session.

11. A mobile electronic device for engaging in a media session in which real-time data packets are exchanged with a remote location, the mobile device comprising:

    a wireless communications subsystem (124, 126) for exchanging data packets with the remote location (120) through a communications link (130) that comprises a wireless network (132);

    a processor for controlling the communications subsystem; and

    a VPN module (112) associated with the processor for establishing co-existing first and second VPN connections (136, 138) through the communications link (130) between the mobile electronic device (10) and the remote location and exchanging there-between real-time data through the second VPN connection (138).

12. The mobile electronic device of claim 11 wherein the VPN module (112) is configured for applying a less resource-intensive encryption to real-time data sent through the second VPN connection (138) than to data sent through the first VPN connection (136).

13. The mobile electronic device of claim 11 or claim 12 wherein the VPN module (112) is configured for receiving key information through the first VPN connection (136) and using the received key information for encrypting and decrypting the real-time data exchanged through the second VPN connection (138).

14. The mobile electronic device of any one of claims 1 1 
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to 13 wherein the VPN module (112) is configured 
for generating encryption key information forthe sec- 
ond VPN connection (1 36) and for sending the gen- 
erated encryption key information through the first 
VPN connection (136) to the remote location. 

15. The mobile electronic device of claim 14 wherein the 
VPN module (112) is configured for generating and 
sending up-dated encryption key information forthe 
second VPN connection (138) at intervals while the 
second VPN connection (138) is established. 

16. A VPN gateway (1 22) for exchanging real-time data 
packets with a remote device (10) over a communi- 
cations link (130), the gateway (122) having means 
for establishing co-existing first and second VPN 
connections (1 36, 1 38) through the communications 
link (130) between the VPN gateway (122) and the 
remote device (10) location and exchanging there- 
between real-time data through the second VPN 
connection (138). 

1 7. The VPN gateway (1 22) of claim 1 6 wherein the gate- 
way (1 22) is configured for applying a less-resource 
intensive encryption to real-time data sent through 
the second VPN connection (138) than to data sent 
through the first VPN connection (1 36). 

18. The VPN gateway (122) of claim 16 or claim 17 wherein
the gateway (122) is configured for generating encryption
key information for the second VPN connection (138) and
for sending the generated encryption key information
through the first VPN connection (136) to the remote
device (10).

19. The VPN gateway (122) of claim 18 wherein the gateway
is configured for generating and sending updated
encryption key information for the second VPN connection
(138) at intervals while the second VPN connection (138)
is established.

20. The VPN gateway (122) of claim 19 wherein the gateway
is configured to determine the intervals for generating
and sending the updated encryption key information based
on an identity of at least the remote device or a further
device that the real-time data packets are being
exchanged with.

21. The VPN gateway (122) of claim 19 or claim 20 wherein
the gateway is configured to determine an encryption
strength for the updated encryption key information based
on an identity of at least the remote device or a further
device that the real-time data packets are being
exchanged with.

22. A computer program product for protecting real-time
data exchanged as packets between a mobile electronic
device (10) and a VPN gateway (122) during a media
session over a communications link (130) that comprises
a wireless network (132), the computer program product
comprising a computer readable medium embodying program
code means executable by a processor of the mobile
electronic device (10) and/or VPN gateway (122) for
implementing the method of any one of claims 1 to 10.

23. A communications system comprising at least one
mobile electronic device (10) according to any one of
claims 11 to 15 and/or a VPN gateway (122) according to
any one of claims 16 to 21.


Amended claims in accordance with Rule 86(2) EPC.

1. A method for protecting real-time data exchanged as
packets between a mobile electronic device (10) and a
VPN gateway (122) during a media session over a
communications link (130) that comprises a wireless
network (132), comprising:

establishing a first VPN connection (136) between the
mobile electronic device (10) and the VPN gateway (122)
through the communications link (130), the first VPN
connection (136) using key-based encryption to protect
data exchanged therethrough;
wherein the method further comprises:

establishing, while the first VPN connection (136) is
established, a second VPN connection (138) between the
mobile electronic device (10) and the VPN gateway (122)
through the communications link (130), the second VPN
connection (138) using key-based encryption to protect
data exchanged therethrough;

exchanging real-time data packets between the mobile
electronic device (10) and the VPN gateway (122) through
the second VPN connection (138).

2. The method of claim 1 wherein the second VPN
connection (138) uses a different strength encryption
algorithm than the first VPN connection (136).

3. The method of claim 1 or claim 2 wherein a lower-bit
encryption is used for the second VPN connection (138)
than for the first VPN connection (136).

4. The method of any one of claims 1 to 3 comprising
providing key information for the second VPN connection
(138) to at least one of the mobile electronic device
(10) and the VPN gateway (122) through the first VPN
connection (136).

5. The method of claim 4 wherein updated key information
for the second VPN connection (138) is provided through
the first VPN connection (136) at intervals while the
second VPN connection (138) is established.

6. The method of claim 5 wherein the updated key 
information is exchanged at regular intervals while 
the second VPN connection (138) is established. 

7. The method of claim 5 wherein at least one of:

(i) the intervals at which the updated key information
is provided and

(ii) a strength of the encryption used for the second
VPN connection (138),

is based on an identification of at least one of the
mobile electronic device (10) and a terminal device (126)
with which the mobile electronic device (10) is
exchanging the real-time data.

8. The method of claim 5 wherein a terminal device (126)
exchanges the real-time data with the mobile electronic
device (10) during a media session through the VPN
gateway (122) and the second VPN connection (138), the
method comprising tracking information for media
sessions between the mobile electronic device (10) and
the terminal device (126), wherein at least one of:

(i) the intervals at which the updated key information
is provided and

(ii) a strength of the encryption used for the second
VPN connection (138),

is based on the tracked information.

9. The method of claim 8 wherein the tracked infor- 
mation comprises information about durations of 
previous media sessions between the mobile elec- 
tronic device (10) and the terminal device (126). 

10. The method of any one of claims 1 to 9 wherein the
real-time data is VoIP voice data, the method comprising
setting up a VoIP media session between the mobile
electronic device (10) and a terminal device (126)
through the communications link (130) and VPN gateway
(122), wherein the VoIP voice data is exchanged between
the VPN gateway (122) and the mobile device (10) using
the second VPN connection (138), and wherein the second
VPN connection (138) is established for the VoIP media
session and then terminated upon completion of the VoIP
media session.

11. A mobile electronic device for engaging in a media
session in which real-time data packets are exchanged
with a remote location, the mobile device comprising:

a wireless communications subsystem (124, 126) for
exchanging data packets with the remote location (120)
through a communications link (130) that comprises a
wireless network (132);

a processor for controlling the communications
subsystem; and wherein:

a VPN module (112) associated with the processor for
establishing co-existing first and second VPN
connections (136, 138) through the communications link
(130) between the mobile electronic device (10) and the
remote location and exchanging therebetween real-time
data through the second VPN connection (138).

12. The mobile electronic device of claim 11 wherein the
VPN module (112) is configured for applying a less
resource-intensive encryption to real-time data sent
through the second VPN connection (138) than to data sent
through the first VPN connection (136).

13. The mobile electronic device of claim 11 or claim 12
wherein the VPN module (112) is configured for receiving
key information through the first VPN connection (136)
and using the received key information for encrypting
and decrypting the real-time data exchanged through the
second VPN connection (138).

14. The mobile electronic device of any one of claims 11
to 13 wherein the VPN module (112) is configured for
generating encryption key information for the second VPN
connection (138) and for sending the generated
encryption key information through the first VPN
connection (136) to the remote location.

15. The mobile electronic device of claim 14 wherein the
VPN module (112) is configured for generating and sending
updated encryption key information for the second VPN
connection (138) at intervals while the second VPN
connection (138) is established.

16. A VPN gateway (122) for exchanging real-time data
packets with a remote device (10) over a communications
link (130), the gateway (122) having means for
establishing co-existing first and second VPN
connections (136, 138) through the communications link
(130) between the VPN gateway (122) and the remote
device (10) and for exchanging therebetween real-time
data through the second VPN connection (138).

17. The VPN gateway (122) of claim 16 wherein the gateway
(122) is configured for applying a less resource-intensive
encryption to real-time data sent through the second VPN
connection (138) than to data sent through the first VPN
connection (136).

18. The VPN gateway (122) of claim 16 or claim 17 wherein
the gateway (122) is configured for generating encryption
key information for the second VPN connection (138) and
for sending the generated encryption key information
through the first VPN connection (136) to the remote
device (10).

19. The VPN gateway (122) of claim 18 wherein the gateway
is configured for generating and sending updated
encryption key information for the second VPN connection
(138) at intervals while the second VPN connection (138)
is established.

20. The VPN gateway (122) of claim 19 wherein the gateway
is configured to determine the intervals for generating
and sending the updated encryption key information based
on an identity of at least the remote device or a further
device that the real-time data packets are being
exchanged with.

21. The VPN gateway (122) of claim 19 or claim 20 wherein
the gateway is configured to determine an encryption
strength for the updated encryption key information based
on an identity of at least the remote device or a further
device that the real-time data packets are being
exchanged with.

22. A computer program product for protecting real-time
data exchanged as packets between a mobile electronic
device (10) and a VPN gateway (122) during a media
session over a communications link (130) that comprises
a wireless network (132), the computer program product
comprising a computer readable medium embodying program
code means executable by a processor of the mobile
electronic device (10) and/or VPN gateway (122) for
implementing the method of any one of claims 1 to 10.

23. A communications system comprising at least one
mobile electronic device (10) according to any one of
claims 11 to 15 and/or a VPN gateway (122) according to
any one of claims 16 to 21.